Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Trailrunner7 writes "There is a serious vulnerability in Java that makes all current browsers vulnerable to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years. The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning."

In recent times firefox seems to have removed the little "[ ] Enable Java" checkbox from the Options > Content page, however I've found if you go into Tools > Add-ons > Plugins you can disable the Java(TM) Platform SE 6 Uxx plugin from there, which seems like it does the trick.

That's probably why they removed it. Java is less and less popular so it makes sense to not make it as prominent. Plus it's not even built into the browser, it's a plugin, and now you can disable any plugin.

Java Webstart, not applet. Basically you download a.jnlp file, which is an xml config file telling it where to download an application to then execute. It's supposed to be sandboxed. But what matters is how your browser handles.jnlp files (or the corresponding mimetype), not how it handles applet tags (or the corresponding object tag).

Replying to myself, I know. I also just read TFA (!) and disabling the Java Platform plugin alone isn't enough!

--------------------Affected Software------------------------

All versions since Java SE 6 update 10 for Microsoft Windows are believed to beaffected by this vulnerability. Disabling the java plugin is not sufficient toprevent exploitation, as the toolkit is installed independently.

There's a seperate plugin called something like Java Deployment Toolkit which you also need to kill.

Offtopic, but you really should remove or replace that link in your sig if you want to be taken seriously on any topic related to Java (or.NET). It's so out of date it's not even funny - a lot of points are at best misleading, at at worst blatantly wrong - and you've been called out on that on/. several times already.

Actually, come to think of it, quite a few bullet points there were lies in 2004, as well, which makes me wonder if you're just ignorant, or deliberately spreading FUD.

I work for a reasonably large multi-national corporation, and we distribute a suite of server management tools as java applets. I don't ask why Java was chosen, and I don't know how well received the suite is by customers, but I know my job would be impossible without a JRE on my office workstation.

Using Java Web Start is comparable to clicking "Yes" when prompted to install "spyware.exe" or any other exe file. Java Web Start is a framework to deploy native Java applications on your machine more easily. Of course, you must trust the source just as you must trust the source when you install an exe file or Unix executable file.

Java Web Start is in no way comparable to Flash, Java Applets or the like that start executing in your browser without your permission and where a sandbox is used to run the code.

"Because the JavaWS technology is included in the Java Runtime Environment, which is used by all of the major browsers, the vulnerability affects all of these applications, including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 through Windows 7, Santamarta said. Browsers running on Apple's Mac OS X are not vulnerable."

Why does everyone have to bring up this completely stupid and pointless "fact"? Here is a little "fact" of my own: The user only CARES about THEIR STUFF! Okay? Who gives a rat's fart if the system is fine if all your stuff is completely hosed? NOBODY, that's who!

Spoken like someone who hasn't had to administer antivirus in a while. The antivirus cares if the bot can affect it, and it's awfully difficult to install a rootkit without root access. So restricting it to user level access means that you're likely to catch it before it wipes out your stuff. And that's all I care about.

I just tested 1.6.0_18 and 1.6.0_19. Under IE8, both popped up an error that it couldn't download the exploit file. Firefox loaded Java, but nothing happened and no error was posted. So I would say, yes they are still vulnerable. It's just that the demo exploit file was not reachable.